Flow Configuration
Choose how users verify their identity in your project
Configure your authentication flow from the Flow Configuration tab in your project settings. The visual editor shows your flow as an interactive diagram — click any step to open its settings. Changes take effect when you hit Save and apply to both the signup and signin flows.
The flow follows four stages: a device check determines whether the user is on a recognized device, then primary verification confirms their identity, followed by an optional MFA step, before reaching authenticated status. Users on a bootstrapped device can skip ahead based on your configuration.
Phases
Each flow has three configurable phases:
| Phase | What it does |
|---|---|
| 1. Primary | How users verify their identity (required) |
| 2. MFA | Optional second factor for extra security |
| 3. Device Trust | Remember this device for faster future logins |
Primary Verification
Choose one or more methods users can use to prove their identity. At least one method is required.
| Method | Description |
|---|---|
| Email OTP | 6-digit code sent via email |
| SMS OTP | 6-digit code sent via SMS |
| Magic Link | One-click email link |
Multi-Factor Authentication
Add a second layer of security after primary verification. Set the MFA Policy to control when MFA runs:
| Policy | What it means |
|---|---|
| Off | MFA never runs |
| Optional | MFA runs only if the user has already set up an MFA method |
| Required | All users must complete MFA — at least one MFA method must be selected |
When MFA is Optional or Required, choose which methods are available:
| Method | Description |
|---|---|
| Email OTP | 6-digit code via email |
| SMS OTP | 6-digit code via SMS |
| TOTP | Authenticator app code |
| QR Code | Scan to authenticate |
| Push | One-tap approval |
Device Trust
Hawcx uses zero-knowledge proof (ZKP) based device enrollment to bootstrap trust with a user's device. Once a device is bootstrapped, returning users get a faster login experience.
How device bootstrapping works
- User completes primary authentication on a new device
- The SDK generates a cryptographic key pair on the device
- The device is registered with the server using a zero-knowledge proof
Bootstrapped device benefits
When a user returns on a bootstrapped device, you can skip steps to speed up login:
- Skip MFA on bootstrapped device — no second factor required on bootstrapped devices (on by default)
In the flow editor, click the Yes pill on the bypass path to configure whether bootstrapped devices skip MFA.
The flow diagram updates in real time to reflect your settings. If MFA is disabled or skip-MFA is enabled, bootstrapped devices bypass straight to Authenticated. Otherwise, they skip primary auth but still complete MFA.